diff options
Diffstat (limited to 'modules/pam_namespace')
| -rw-r--r-- | modules/pam_namespace/Makefile.am | 37 | ||||
| -rw-r--r-- | modules/pam_namespace/Makefile.in | 287 | ||||
| -rw-r--r-- | modules/pam_namespace/README | 5 | ||||
| -rw-r--r-- | modules/pam_namespace/md5.c | 6 | ||||
| -rw-r--r-- | modules/pam_namespace/md5.h | 4 | ||||
| -rw-r--r-- | modules/pam_namespace/namespace.conf | 5 | ||||
| -rw-r--r-- | modules/pam_namespace/namespace.conf.5 | 21 | ||||
| -rw-r--r-- | modules/pam_namespace/namespace.conf.5.xml | 11 | ||||
| -rw-r--r-- | modules/pam_namespace/pam_namespace.8 | 6 | ||||
| -rw-r--r-- | modules/pam_namespace/pam_namespace.c | 90 | ||||
| -rw-r--r-- | modules/pam_namespace/pam_namespace.h | 5 | ||||
| -rw-r--r-- | modules/pam_namespace/pam_namespace.service.in | 11 | ||||
| -rw-r--r-- | modules/pam_namespace/pam_namespace_helper.8 | 49 | ||||
| -rw-r--r-- | modules/pam_namespace/pam_namespace_helper.8.xml | 62 | ||||
| -rw-r--r-- | modules/pam_namespace/pam_namespace_helper.in | 15 |
15 files changed, 471 insertions, 143 deletions
diff --git a/modules/pam_namespace/Makefile.am b/modules/pam_namespace/Makefile.am index ebb00f36..21e1b33a 100644 --- a/modules/pam_namespace/Makefile.am +++ b/modules/pam_namespace/Makefile.am @@ -4,26 +4,24 @@ # CLEANFILES = *~ -MAINTAINERCLEANFILES = $(MAN5) $(MAN8) README +MAINTAINERCLEANFILES = $(MANS) README -MAN5 = namespace.conf.5 -MAN8 = pam_namespace.8 +EXTRA_DIST = $(XMLS) -EXTRA_DIST = README namespace.conf namespace.init $(MAN5) $(MAN8) $(XMLS) tst-pam_namespace - -if HAVE_UNSHARE - TESTS = tst-pam_namespace - man_MANS = $(MAN5) $(MAN8) +if HAVE_DOC +dist_man_MANS = namespace.conf.5 pam_namespace.8 pam_namespace_helper.8 endif - -XMLS = README.xml namespace.conf.5.xml pam_namespace.8.xml +XMLS = README.xml namespace.conf.5.xml pam_namespace.8.xml pam_namespace_helper.8.xml +dist_check_SCRIPTS = tst-pam_namespace +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) namespaceddir = $(SCONFIGDIR)/namespace.d +servicedir = $(prefix)/lib/systemd/system AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DSECURECONF_DIR=\"$(SCONFIGDIR)/\" + -DSECURECONF_DIR=\"$(SCONFIGDIR)/\" $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -31,21 +29,20 @@ endif noinst_HEADERS = md5.h pam_namespace.h argv_parse.h -if HAVE_UNSHARE - securelib_LTLIBRARIES = pam_namespace.la - pam_namespace_la_SOURCES = pam_namespace.c md5.c argv_parse.c - pam_namespace_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ +securelib_LTLIBRARIES = pam_namespace.la +pam_namespace_la_SOURCES = pam_namespace.c md5.c argv_parse.c +pam_namespace_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ - secureconf_DATA = namespace.conf - secureconf_SCRIPTS = namespace.init +dist_secureconf_DATA = namespace.conf +dist_secureconf_SCRIPTS = namespace.init +service_DATA = pam_namespace.service install-data-local: mkdir -p $(DESTDIR)$(namespaceddir) -endif +sbin_SCRIPTS = pam_namespace_helper if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_namespace.8.xml namespace.conf.5.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_namespace/Makefile.in b/modules/pam_namespace/Makefile.in index 9f0c2d9c..7524287e 100644 --- a/modules/pam_namespace/Makefile.in +++ b/modules/pam_namespace/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2018 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -23,7 +23,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -88,9 +98,6 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_namespace -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp $(noinst_HEADERS) \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ @@ -106,9 +113,12 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(dist_secureconf_SCRIPTS) $(am__dist_noinst_DATA_DIST) \ + $(dist_secureconf_DATA) $(noinst_HEADERS) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h -CONFIG_CLEAN_FILES = +CONFIG_CLEAN_FILES = pam_namespace_helper pam_namespace.service CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ @@ -138,21 +148,18 @@ am__uninstall_files_from_dir = { \ $(am__cd) "$$dir" && rm -f $$files; }; \ } am__installdirs = "$(DESTDIR)$(securelibdir)" \ - "$(DESTDIR)$(secureconfdir)" "$(DESTDIR)$(man5dir)" \ - "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)" + "$(DESTDIR)$(secureconfdir)" "$(DESTDIR)$(sbindir)" \ + "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" \ + "$(DESTDIR)$(secureconfdir)" "$(DESTDIR)$(servicedir)" LTLIBRARIES = $(securelib_LTLIBRARIES) -@HAVE_UNSHARE_TRUE@pam_namespace_la_DEPENDENCIES = \ -@HAVE_UNSHARE_TRUE@ $(top_builddir)/libpam/libpam.la -am__pam_namespace_la_SOURCES_DIST = pam_namespace.c md5.c argv_parse.c -@HAVE_UNSHARE_TRUE@am_pam_namespace_la_OBJECTS = pam_namespace.lo \ -@HAVE_UNSHARE_TRUE@ md5.lo argv_parse.lo +pam_namespace_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +am_pam_namespace_la_OBJECTS = pam_namespace.lo md5.lo argv_parse.lo pam_namespace_la_OBJECTS = $(am_pam_namespace_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = -@HAVE_UNSHARE_TRUE@am_pam_namespace_la_rpath = -rpath $(securelibdir) -SCRIPTS = $(secureconf_SCRIPTS) +SCRIPTS = $(dist_secureconf_SCRIPTS) $(sbin_SCRIPTS) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -167,7 +174,9 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/argv_parse.Plo ./$(DEPDIR)/md5.Plo \ + ./$(DEPDIR)/pam_namespace.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -188,7 +197,7 @@ am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = SOURCES = $(pam_namespace_la_SOURCES) -DIST_SOURCES = $(am__pam_namespace_la_SOURCES_DIST) +DIST_SOURCES = $(pam_namespace_la_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -197,8 +206,9 @@ am__can_run_installinfo = \ man5dir = $(mandir)/man5 man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) $(secureconf_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) $(dist_secureconf_DATA) $(service_DATA) HEADERS = $(noinst_HEADERS) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, @@ -396,6 +406,11 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(srcdir)/pam_namespace.service.in \ + $(srcdir)/pam_namespace_helper.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -424,6 +439,8 @@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ @@ -432,7 +449,6 @@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -468,6 +484,7 @@ LN_S = @LN_S@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -504,11 +521,13 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ USE_NLS = @USE_NLS@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -576,27 +595,29 @@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ -MAINTAINERCLEANFILES = $(MAN5) $(MAN8) README -MAN5 = namespace.conf.5 -MAN8 = pam_namespace.8 -EXTRA_DIST = README namespace.conf namespace.init $(MAN5) $(MAN8) $(XMLS) tst-pam_namespace -@HAVE_UNSHARE_TRUE@TESTS = tst-pam_namespace -@HAVE_UNSHARE_TRUE@man_MANS = $(MAN5) $(MAN8) -XMLS = README.xml namespace.conf.5.xml pam_namespace.8.xml +MAINTAINERCLEANFILES = $(MANS) README +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = namespace.conf.5 pam_namespace.8 pam_namespace_helper.8 +XMLS = README.xml namespace.conf.5.xml pam_namespace.8.xml pam_namespace_helper.8.xml +dist_check_SCRIPTS = tst-pam_namespace +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) namespaceddir = $(SCONFIGDIR)/namespace.d +servicedir = $(prefix)/lib/systemd/system AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DSECURECONF_DIR=\"$(SCONFIGDIR)/\" + -DSECURECONF_DIR=\"$(SCONFIGDIR)/\" $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) noinst_HEADERS = md5.h pam_namespace.h argv_parse.h -@HAVE_UNSHARE_TRUE@securelib_LTLIBRARIES = pam_namespace.la -@HAVE_UNSHARE_TRUE@pam_namespace_la_SOURCES = pam_namespace.c md5.c argv_parse.c -@HAVE_UNSHARE_TRUE@pam_namespace_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ -@HAVE_UNSHARE_TRUE@secureconf_DATA = namespace.conf -@HAVE_UNSHARE_TRUE@secureconf_SCRIPTS = namespace.init -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +securelib_LTLIBRARIES = pam_namespace.la +pam_namespace_la_SOURCES = pam_namespace.c md5.c argv_parse.c +pam_namespace_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ +dist_secureconf_DATA = namespace.conf +dist_secureconf_SCRIPTS = namespace.init +service_DATA = pam_namespace.service +sbin_SCRIPTS = pam_namespace_helper +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -613,14 +634,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_namespace/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_namespace/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -631,6 +651,10 @@ $(top_srcdir)/configure: $(am__configure_deps) $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +pam_namespace_helper: $(top_builddir)/config.status $(srcdir)/pam_namespace_helper.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ +pam_namespace.service: $(top_builddir)/config.status $(srcdir)/pam_namespace.service.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) @$(NORMAL_INSTALL) @@ -668,10 +692,10 @@ clean-securelibLTLIBRARIES: } pam_namespace.la: $(pam_namespace_la_OBJECTS) $(pam_namespace_la_DEPENDENCIES) $(EXTRA_pam_namespace_la_DEPENDENCIES) - $(AM_V_CCLD)$(LINK) $(am_pam_namespace_la_rpath) $(pam_namespace_la_OBJECTS) $(pam_namespace_la_LIBADD) $(LIBS) -install-secureconfSCRIPTS: $(secureconf_SCRIPTS) + $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_namespace_la_OBJECTS) $(pam_namespace_la_LIBADD) $(LIBS) +install-dist_secureconfSCRIPTS: $(dist_secureconf_SCRIPTS) @$(NORMAL_INSTALL) - @list='$(secureconf_SCRIPTS)'; test -n "$(secureconfdir)" || list=; \ + @list='$(dist_secureconf_SCRIPTS)'; test -n "$(secureconfdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(secureconfdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" || exit 1; \ @@ -698,12 +722,47 @@ install-secureconfSCRIPTS: $(secureconf_SCRIPTS) } \ ; done -uninstall-secureconfSCRIPTS: +uninstall-dist_secureconfSCRIPTS: @$(NORMAL_UNINSTALL) - @list='$(secureconf_SCRIPTS)'; test -n "$(secureconfdir)" || exit 0; \ + @list='$(dist_secureconf_SCRIPTS)'; test -n "$(secureconfdir)" || exit 0; \ files=`for p in $$list; do echo "$$p"; done | \ sed -e 's,.*/,,;$(transform)'`; \ dir='$(DESTDIR)$(secureconfdir)'; $(am__uninstall_files_from_dir) +install-sbinSCRIPTS: $(sbin_SCRIPTS) + @$(NORMAL_INSTALL) + @list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n' \ + -e 'h;s|.*|.|' \ + -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) { files[d] = files[d] " " $$1; \ + if (++n[d] == $(am__install_max)) { \ + print "f", d, files[d]; n[d] = 0; files[d] = "" } } \ + else { print "f", d "/" $$4, $$1 } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(sbindir)$$dir'"; \ + $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \ + } \ + ; done + +uninstall-sbinSCRIPTS: + @$(NORMAL_UNINSTALL) + @list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || exit 0; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 's,.*/,,;$(transform)'`; \ + dir='$(DESTDIR)$(sbindir)'; $(am__uninstall_files_from_dir) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -711,23 +770,29 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/argv_parse.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_namespace.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/argv_parse.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_namespace.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -741,10 +806,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man5: $(man_MANS) +install-man5: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man5dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -779,15 +844,15 @@ uninstall-man5: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man5dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.5[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir) -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -822,14 +887,14 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) -install-secureconfDATA: $(secureconf_DATA) +install-dist_secureconfDATA: $(dist_secureconf_DATA) @$(NORMAL_INSTALL) - @list='$(secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(secureconfdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" || exit 1; \ @@ -843,11 +908,32 @@ install-secureconfDATA: $(secureconf_DATA) $(INSTALL_DATA) $$files "$(DESTDIR)$(secureconfdir)" || exit $$?; \ done -uninstall-secureconfDATA: +uninstall-dist_secureconfDATA: @$(NORMAL_UNINSTALL) - @list='$(secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(secureconfdir)'; $(am__uninstall_files_from_dir) +install-serviceDATA: $(service_DATA) + @$(NORMAL_INSTALL) + @list='$(service_DATA)'; test -n "$(servicedir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(servicedir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(servicedir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(servicedir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(servicedir)" || exit $$?; \ + done + +uninstall-serviceDATA: + @$(NORMAL_UNINSTALL) + @list='$(service_DATA)'; test -n "$(servicedir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(servicedir)'; $(am__uninstall_files_from_dir) ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique @@ -931,7 +1017,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -1021,7 +1107,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -1031,7 +1117,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -1064,7 +1150,10 @@ tst-pam_namespace.log: tst-pam_namespace @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -1095,11 +1184,12 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(SCRIPTS) $(MANS) $(DATA) $(HEADERS) installdirs: - for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(secureconfdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)"; do \ + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(secureconfdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)" "$(DESTDIR)$(servicedir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -1137,14 +1227,15 @@ maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) -@HAVE_UNSHARE_FALSE@install-data-local: clean: clean-am clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/argv_parse.Plo + -rm -f ./$(DEPDIR)/md5.Plo + -rm -f ./$(DEPDIR)/pam_namespace.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1161,14 +1252,15 @@ info: info-am info-am: -install-data-am: install-data-local install-man install-secureconfDATA \ - install-secureconfSCRIPTS install-securelibLTLIBRARIES +install-data-am: install-data-local install-dist_secureconfDATA \ + install-dist_secureconfSCRIPTS install-man \ + install-securelibLTLIBRARIES install-serviceDATA install-dvi: install-dvi-am install-dvi-am: -install-exec-am: +install-exec-am: install-sbinSCRIPTS install-html: install-html-am @@ -1191,7 +1283,9 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/argv_parse.Plo + -rm -f ./$(DEPDIR)/md5.Plo + -rm -f ./$(DEPDIR)/pam_namespace.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1208,36 +1302,41 @@ ps: ps-am ps-am: -uninstall-am: uninstall-man uninstall-secureconfDATA \ - uninstall-secureconfSCRIPTS uninstall-securelibLTLIBRARIES +uninstall-am: uninstall-dist_secureconfDATA \ + uninstall-dist_secureconfSCRIPTS uninstall-man \ + uninstall-sbinSCRIPTS uninstall-securelibLTLIBRARIES \ + uninstall-serviceDATA uninstall-man: uninstall-man5 uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-data-local install-dvi \ - install-dvi-am install-exec install-exec-am install-html \ - install-html-am install-info install-info-am install-man \ - install-man5 install-man8 install-pdf install-pdf-am \ - install-ps install-ps-am install-secureconfDATA \ - install-secureconfSCRIPTS install-securelibLTLIBRARIES \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am recheck tags tags-am uninstall \ - uninstall-am uninstall-man uninstall-man5 uninstall-man8 \ - uninstall-secureconfDATA uninstall-secureconfSCRIPTS \ - uninstall-securelibLTLIBRARIES - - -@HAVE_UNSHARE_TRUE@install-data-local: -@HAVE_UNSHARE_TRUE@ mkdir -p $(DESTDIR)$(namespaceddir) -@ENABLE_REGENERATE_MAN_TRUE@README: pam_namespace.8.xml namespace.conf.5.xml +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-data-local install-dist_secureconfDATA \ + install-dist_secureconfSCRIPTS install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-man5 \ + install-man8 install-pdf install-pdf-am install-ps \ + install-ps-am install-sbinSCRIPTS install-securelibLTLIBRARIES \ + install-serviceDATA install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am recheck tags tags-am \ + uninstall uninstall-am uninstall-dist_secureconfDATA \ + uninstall-dist_secureconfSCRIPTS uninstall-man uninstall-man5 \ + uninstall-man8 uninstall-sbinSCRIPTS \ + uninstall-securelibLTLIBRARIES uninstall-serviceDATA + +.PRECIOUS: Makefile + + +install-data-local: + mkdir -p $(DESTDIR)$(namespaceddir) @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_namespace/README b/modules/pam_namespace/README index 6c580d6a..106a073a 100644 --- a/modules/pam_namespace/README +++ b/modules/pam_namespace/README @@ -169,7 +169,10 @@ contain the user name and will be shared among all users. mntopts=value - value of this flag is passed to the mount call when the tmpfs mount is done. It allows for example the specification of the maximum size of -the tmpfs instance that is created by the mount call. See mount(8) for details. +the tmpfs instance that is created by the mount call. In addition to options +specified in the tmpfs(5) manual the nosuid, noexec, and nodev flags can be +used to respectively disable setuid bit effect, disable running executables, +and disable devices to be interpreted on the mounted tmpfs filesystem. The directory where polyinstantiated instances are to be created, must exist and must have, by default, the mode of 0000. The requirement that the instance diff --git a/modules/pam_namespace/md5.c b/modules/pam_namespace/md5.c index dc95ab14..b9a7f084 100644 --- a/modules/pam_namespace/md5.c +++ b/modules/pam_namespace/md5.c @@ -26,12 +26,14 @@ #if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__) #define byteReverse(buf, len) /* Nothing */ #else -static void byteReverse(unsigned char *buf, unsigned longs); +typedef unsigned char PAM_ATTRIBUTE_ALIGNED(4) uint8_aligned; + +static void byteReverse(uint8_aligned *buf, unsigned longs); /* * Note: this code is harmless on little-endian machines. */ -static void byteReverse(unsigned char *buf, unsigned longs) +static void byteReverse(uint8_aligned *buf, unsigned longs) { uint32 t; do { diff --git a/modules/pam_namespace/md5.h b/modules/pam_namespace/md5.h index 73f85833..bded3302 100644 --- a/modules/pam_namespace/md5.h +++ b/modules/pam_namespace/md5.h @@ -2,12 +2,14 @@ #ifndef MD5_H #define MD5_H +#include "pam_cc_compat.h" + typedef unsigned int uint32; struct MD5Context { uint32 buf[4]; uint32 bits[2]; - unsigned char in[64]; + unsigned char in[64] PAM_ATTRIBUTE_ALIGNED(4); }; #define MD5_DIGEST_LENGTH 16 diff --git a/modules/pam_namespace/namespace.conf b/modules/pam_namespace/namespace.conf index b611a0f2..75ec6193 100644 --- a/modules/pam_namespace/namespace.conf +++ b/modules/pam_namespace/namespace.conf @@ -21,7 +21,10 @@ # is explicitly called with an argument to ignore the mode of the # instance parent. System administrators should use this argument with # caution, as it will reduce security and isolation achieved by -# polyinstantiation. +# polyinstantiation. The parent directories (except $HOME) are created +# at boot by pam_namespace_helper, but in a live system, system +# administrators should create the parent directories before enabling +# them here. # #/tmp /tmp-inst/ level root,adm #/var/tmp /var/tmp/tmp-inst/ level root,adm diff --git a/modules/pam_namespace/namespace.conf.5 b/modules/pam_namespace/namespace.conf.5 index be3458f8..be186c9d 100644 --- a/modules/pam_namespace/namespace.conf.5 +++ b/modules/pam_namespace/namespace.conf.5 @@ -1,13 +1,13 @@ '\" t .\" Title: namespace.conf .\" Author: [see the "AUTHORS" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 06/08/2020 .\" Manual: Linux-PAM Manual .\" Source: Linux-PAM Manual .\" Language: English .\" -.TH "NAMESPACE\&.CONF" "5" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "NAMESPACE\&.CONF" "5" "06/08/2020" "Linux-PAM Manual" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -53,7 +53,10 @@ characters also escape sequences \fI\et\fR are recognized\&. The fields are as follows: .PP -\fIpolydir\fR\fIinstance_prefix\fR\fImethod\fR\fIlist_of_uids\fR +\fIpolydir\fR +\fIinstance_prefix\fR +\fImethod\fR +\fIlist_of_uids\fR .PP The first field, \fIpolydir\fR, is the absolute pathname of the directory to polyinstantiate\&. The special string @@ -98,9 +101,13 @@ characters\&. \- the instance directories for "context" and "level" methods will not contain the user name and will be shared among all users\&. .PP \fImntopts\fR=\fIvalue\fR -\- value of this flag is passed to the mount call when the tmpfs mount is done\&. It allows for example the specification of the maximum size of the tmpfs instance that is created by the mount call\&. See -\fBmount\fR(8) -for details\&. +\- value of this flag is passed to the mount call when the tmpfs mount is done\&. It allows for example the specification of the maximum size of the tmpfs instance that is created by the mount call\&. In addition to options specified in the +\fBtmpfs\fR(5) +manual the +\fInosuid\fR, +\fInoexec\fR, and +\fInodev\fR +flags can be used to respectively disable setuid bit effect, disable running executables, and disable devices to be interpreted on the mounted tmpfs filesystem\&. .PP The directory where polyinstantiated instances are to be created, must exist and must have, by default, the mode of 0000\&. The requirement that the instance parent be of mode 0000 can be overridden with the command line option \fIignore_instance_parent_mode\fR diff --git a/modules/pam_namespace/namespace.conf.5.xml b/modules/pam_namespace/namespace.conf.5.xml index c7698cb4..a94b49e2 100644 --- a/modules/pam_namespace/namespace.conf.5.xml +++ b/modules/pam_namespace/namespace.conf.5.xml @@ -122,9 +122,14 @@ <para><emphasis>mntopts</emphasis>=<replaceable>value</replaceable> - value of this flag is passed to the mount call when the tmpfs mount is done. It allows for example the specification of the maximum size of the - tmpfs instance that is created by the mount call. See <citerefentry> - <refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> for details. + tmpfs instance that is created by the mount call. In addition to + options specified in the <citerefentry> + <refentrytitle>tmpfs</refentrytitle><manvolnum>5</manvolnum> + </citerefentry> manual the <emphasis>nosuid</emphasis>, + <emphasis>noexec</emphasis>, and <emphasis>nodev</emphasis> flags + can be used to respectively disable setuid bit effect, disable running + executables, and disable devices to be interpreted on the mounted + tmpfs filesystem. </para> <para> diff --git a/modules/pam_namespace/pam_namespace.8 b/modules/pam_namespace/pam_namespace.8 index 630f1a92..6fca41f4 100644 --- a/modules/pam_namespace/pam_namespace.8 +++ b/modules/pam_namespace/pam_namespace.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_namespace .\" Author: [see the "AUTHORS" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 06/08/2020 .\" Manual: Linux-PAM Manual .\" Source: Linux-PAM Manual .\" Language: English .\" -.TH "PAM_NAMESPACE" "8" "05/18/2017" "Linux-PAM Manual" "Linux-PAM Manual" +.TH "PAM_NAMESPACE" "8" "06/08/2020" "Linux-PAM Manual" "Linux-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index f541f891..63b5c665 100644 --- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c @@ -34,6 +34,8 @@ #define _ATFILE_SOURCE +#include "pam_cc_compat.h" +#include "pam_inline.h" #include "pam_namespace.h" #include "argv_parse.h" @@ -230,6 +232,73 @@ static int parse_iscript_params(char *params, struct polydir_s *poly) return 0; } +struct mntflag { + const char *name; + size_t len; + unsigned long flag; +}; + +#define LITERAL_AND_LEN(x) x, sizeof(x) - 1 + +static const struct mntflag mntflags[] = { + { LITERAL_AND_LEN("noexec"), MS_NOEXEC }, + { LITERAL_AND_LEN("nosuid"), MS_NOSUID }, + { LITERAL_AND_LEN("nodev"), MS_NODEV } + }; + +static int filter_mntopts(const char *opts, char **filtered, + unsigned long *mountflags) +{ + size_t origlen = strlen(opts); + const char *end; + char *dest; + + dest = *filtered = NULL; + *mountflags = 0; + + if (origlen == 0) + return 0; + + do { + size_t len; + unsigned int i; + + end = strchr(opts, ','); + if (end == NULL) { + len = strlen(opts); + } else { + len = end - opts; + } + + for (i = 0; i < PAM_ARRAY_SIZE(mntflags); i++) { + if (mntflags[i].len != len) + continue; + if (memcmp(mntflags[i].name, opts, len) == 0) { + *mountflags |= mntflags[i].flag; + opts = end; + break; + } + } + + if (opts != end) { + if (dest != NULL) { + *dest = ','; + ++dest; + } else { + dest = *filtered = calloc(1, origlen + 1); + if (dest == NULL) + return -1; + } + memcpy(dest, opts, len); + dest += len; + } + + opts = end + 1; + } while (end != NULL); + + return 0; +} + static int parse_method(char *method, struct polydir_s *poly, struct instance_data *idata) { @@ -289,7 +358,8 @@ static int parse_method(char *method, struct polydir_s *poly, break; } free(poly->mount_opts); /* if duplicate mntopts specified */ - if ((poly->mount_opts = strdup(flag+namelen+1)) == NULL) { + poly->mount_opts = NULL; + if (filter_mntopts(flag+namelen+1, &poly->mount_opts, &poly->mount_flags) != 0) { pam_syslog(idata->pamh, LOG_CRIT, "Memory allocation error"); return -1; } @@ -670,7 +740,7 @@ static int parse_config_file(struct instance_data *idata) /* - * This funtion returns true if a given uid is present in the polyinstantiated + * This function returns true if a given uid is present in the polyinstantiated * directory's list of override uids. If the uid is one of the override * uids for the polyinstantiated directory, polyinstantiation is not * performed for that user for that directory. @@ -810,7 +880,7 @@ static int form_context(const struct polydir_s *polyptr, goto fail; } if (context_range_set(fcontext, context_range_get(scontext)) != 0) { - pam_syslog(idata->pamh, LOG_ERR, "Unable to set MLS Componant of context"); + pam_syslog(idata->pamh, LOG_ERR, "Unable to set MLS Component of context"); goto fail; } *i_context=strdup(context_str(fcontext)); @@ -1484,7 +1554,7 @@ static int ns_setup(struct polydir_s *polyptr, } if (polyptr->method == TMPFS) { - if (mount("tmpfs", polyptr->dir, "tmpfs", 0, polyptr->mount_opts) < 0) { + if (mount("tmpfs", polyptr->dir, "tmpfs", polyptr->mount_flags, polyptr->mount_opts) < 0) { pam_syslog(idata->pamh, LOG_ERR, "Error mounting tmpfs on %s, %m", polyptr->dir); return PAM_SESSION_ERR; @@ -1941,7 +2011,7 @@ static int root_shared(void) break; if (i == 6) { - if (strncmp(tok, "shared:", 7) == 0) + if (pam_str_skip_prefix(tok, "shared:") != NULL) /* there might be more / mounts, the last one counts */ rv = 1; else @@ -2109,7 +2179,7 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, { int i, retval; struct instance_data idata; - void *polyptr; + const void *polyptr; /* init instance data */ idata.flags = 0; @@ -2149,7 +2219,7 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, pam_set_data(idata.pamh, NAMESPACE_PROTECT_DATA, NULL, NULL); if (idata.flags & PAMNS_DEBUG) - pam_syslog(idata.pamh, LOG_DEBUG, "close_session - sucessful"); + pam_syslog(idata.pamh, LOG_DEBUG, "close_session - successful"); return PAM_SUCCESS; } @@ -2157,12 +2227,14 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, if (retval != PAM_SUCCESS) return retval; - retval = pam_get_data(idata.pamh, NAMESPACE_POLYDIR_DATA, (const void **)&polyptr); + retval = pam_get_data(idata.pamh, NAMESPACE_POLYDIR_DATA, &polyptr); if (retval != PAM_SUCCESS || polyptr == NULL) /* nothing to reset */ return PAM_SUCCESS; - idata.polydirs_ptr = polyptr; + DIAG_PUSH_IGNORE_CAST_QUAL; + idata.polydirs_ptr = (void *)polyptr; + DIAG_POP_IGNORE_CAST_QUAL; if (idata.flags & PAMNS_DEBUG) pam_syslog(idata.pamh, LOG_DEBUG, "Resetting namespace for pid %d", diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h index 47ebcc33..3a1e4ba3 100644 --- a/modules/pam_namespace/pam_namespace.h +++ b/modules/pam_namespace/pam_namespace.h @@ -138,12 +138,12 @@ enum polymethod { /* * Depending on the application using this namespace module, we - * may need to unmount priviously bind mounted instance directory. + * may need to unmount previously bind mounted instance directory. * Applications such as login and sshd, that establish a new * session unmount of instance directory is not needed. For applications * such as su and newrole, that switch the identity, this module * has to unmount previous instance directory first and re-mount - * based on the new indentity. For other trusted applications that + * based on the new identity. For other trusted applications that * just want to undo polyinstantiation, only unmount of previous * instance directory is needed. */ @@ -166,6 +166,7 @@ struct polydir_s { unsigned int flags; /* polydir flags */ char *init_script; /* path to init script */ char *mount_opts; /* mount options for tmpfs mount */ + unsigned long mount_flags; /* mount flags for tmpfs mount */ uid_t owner; /* user which should own the polydir */ gid_t group; /* group which should own the polydir */ mode_t mode; /* mode of the polydir */ diff --git a/modules/pam_namespace/pam_namespace.service.in b/modules/pam_namespace/pam_namespace.service.in new file mode 100644 index 00000000..e2311917 --- /dev/null +++ b/modules/pam_namespace/pam_namespace.service.in @@ -0,0 +1,11 @@ +[Unit] +After=local-fs.target +Before=multi-user.target shutdown.target +Conflicts=shutdown.target +DefaultDependencies=no +Description=Make sure parent directories configured in @SCONFIGDIR@/namespace.conf for polyinstantiation exist +Documentation=man:pam_namespace(8) + +[Service] +ExecStart=@sbindir@/pam_namespace_helper +Type=oneshot diff --git a/modules/pam_namespace/pam_namespace_helper.8 b/modules/pam_namespace/pam_namespace_helper.8 new file mode 100644 index 00000000..88fbe71f --- /dev/null +++ b/modules/pam_namespace/pam_namespace_helper.8 @@ -0,0 +1,49 @@ +'\" t +.\" Title: pam_namespace_helper +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 06/08/2020 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_NAMESPACE_HELPER" "8" "06/08/2020" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_namespace_helper \- Helper binary that creates home directories +.SH "SYNOPSIS" +.HP \w'\fBpam_namespace_helper\fR\ 'u +\fBpam_namespace_helper\fR +.SH "DESCRIPTION" +.PP +\fIpam_namespace_helper\fR +is a helper program for the +\fIpam_namespace\fR +module that sets up a private namespace for a session with polyinstantiated directories\&. The helper ensures that the namespace mount points exist before they are started to be used for the polyinstantiated directories\&. Mount points for home directories (lines with $HOME) are not created\&. +.PP +\fIpam_namespace_helper\fR +should be run by systemd at system startup\&. It should also be run by the administrator after defining the polyinstantiated directories but before enabling them\&. +.SH "SEE ALSO" +.PP +\fBpam_namespace\fR(8) +.SH "AUTHOR" +.PP +Written by Topi Miettinen\&. diff --git a/modules/pam_namespace/pam_namespace_helper.8.xml b/modules/pam_namespace/pam_namespace_helper.8.xml new file mode 100644 index 00000000..2f5adbed --- /dev/null +++ b/modules/pam_namespace/pam_namespace_helper.8.xml @@ -0,0 +1,62 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_namespace_helper"> + + <refmeta> + <refentrytitle>pam_namespace_helper</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_namespace_helper-name"> + <refname>pam_namespace_helper</refname> + <refpurpose>Helper binary that creates home directories</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_namespace_helper-cmdsynopsis"> + <command>pam_namespace_helper</command> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_namespace_helper-description"> + + <title>DESCRIPTION</title> + + <para> + <emphasis>pam_namespace_helper</emphasis> is a helper program + for the <emphasis>pam_namespace</emphasis> module that sets up a + private namespace for a session with polyinstantiated + directories. The helper ensures that the namespace mount points + exist before they are started to be used for the + polyinstantiated directories. Mount points for home directories + (lines with $HOME) are not created. + </para> + + <para> + <emphasis>pam_namespace_helper</emphasis> should be run by + systemd at system startup. It should also be run by the + administrator after defining the polyinstantiated directories + but before enabling them. + </para> + </refsect1> + + <refsect1 id='pam_namespace_helper-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_namespace</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_namespace_helper-author'> + <title>AUTHOR</title> + <para> + Written by Topi Miettinen. + </para> + </refsect1> + +</refentry> diff --git a/modules/pam_namespace/pam_namespace_helper.in b/modules/pam_namespace/pam_namespace_helper.in new file mode 100644 index 00000000..b9c361fb --- /dev/null +++ b/modules/pam_namespace/pam_namespace_helper.in @@ -0,0 +1,15 @@ +#!/bin/sh + +CONF=@SCONFIGDIR@/namespace.conf + +# Match logic of process_line(), except lines with $HOME are ignored +# skip the leading white space, rip off the comments, ignore empty lines +sed -e 's/^[ ]*//g' -e 's/#.*//g' -e '/.*\$HOME.*/d' -e '/^$/d' < $CONF | \ + while read polydir instance_prefix method uids; do + if [ ! -e "$instance_prefix" ]; then + echo "mkdir $instance_prefix" + mkdir --parents --mode=0 -Z "$instance_prefix" + fi + done + +exit 0 |